I created this script based on a question posted on the Microsoft TechNet forum. It can be used to “dynamically” update a group's membership based on an LDAP attribute.
In this example, I will be adding users whose location attribute (l) is set to “SiteA” to a security group called SiteA.
The following command will remove the existing group members from SiteA group.
dsget group "CN=SiteA,OU=TestOU,DC=Infralab, DC=local" -members | dsmod group "CN=SiteA,OU=TestOU,DC=Infralab, DC=local" -rmmbr
The following command filters all objects by location code (l=SiteA) and adds them to the SiteA group.
dsquery * -Filter "(l=SiteA)" | dsmod group "CN=SiteA,OU=TestOU,DC=Infralab, DC=local" -addmbr
You can use the same logic to copy group members from one group to another. Here is an example:
dsget group "CN=Group1,OU=TestOU,DC=Infralab, DC=local" -members | dsmod group "CN=Group2,OU=TestOU,DC=Infralab, DC=local" -addmbr
The above command will copy members from Group1 to Group2.
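As an added example (not part of the original post), the PowerShell function below performs the SiteA update as a delta: it adds only users who are missing and removes only members who no longer match, so the group is never empty between the two steps. It assumes the ActiveDirectory module (RSAT) is installed; the function name Sync-GroupFromLdapFilter, the -AllowEmpty switch and the restriction to user objects are choices made for this example.

```powershell
# Added example: delta sync of a group from an LDAP filter (ActiveDirectory module).
Import-Module ActiveDirectory

function Sync-GroupFromLdapFilter {   # hypothetical name, not from the post
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $GroupDN,
        [Parameter(Mandatory = $true)] [string] $LdapFilter,
        [switch] $AllowEmpty   # must be set before the group may end up empty
    )

    # Desired members: user objects only (an assumption of this example;
    # the post's "dsquery *" matches every object type).
    $filter  = "(&(objectCategory=person)(objectClass=user)$LdapFilter)"
    $desired = @(Get-ADUser -LDAPFilter $filter |
                 Select-Object -ExpandProperty DistinguishedName)

    # Current direct members, as distinguished names.
    $current = @((Get-ADGroup -Identity $GroupDN -Properties member).member)

    # A typo in the filter would otherwise strip every member.
    if ($desired.Count -eq 0 -and -not $AllowEmpty) {
        throw "Filter '$LdapFilter' matched no users; refusing to empty $GroupDN."
    }

    # -notcontains compares strings case-insensitively, which suits DNs.
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupDN, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupDN -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupDN, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupDN -Members $toRemove -Confirm:$false
    }

    # Report the computed delta so a scheduled run leaves an audit trail.
    [pscustomobject]@{ Group = $GroupDN; ToAdd = $toAdd; ToRemove = $toRemove }
}

# Preview the change for the post's SiteA group; drop -WhatIf to apply it.
Sync-GroupFromLdapFilter -GroupDN 'CN=SiteA,OU=TestOU,DC=Infralab,DC=local' `
    -LdapFilter '(l=SiteA)' -WhatIf
```

Unlike dsquery, which returns at most 100 objects unless -limit is raised, Get-ADUser returns every match by default.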
2 comments:
Hello.
Is it possible to exclude users who belong to the group already?
I would appreciate it if you could show me how to do it.
Regards
I am having a problem using the first of these commands. I am getting the "dsmod failed:You must specify at least one attribute to be modified."
Here is my exact command issued via PowerShell:
dsget group "CN=grp.sig.retail,OU=SignatureGroups,OU=GroupsAndUsers,DC=americanchartered,DC=com" -members | dsmod group "CN=grp.sig.retail,OU=SignatureGroups,OU=GroupsAndUsers,DC=americanchartered,DC=com" –rmmbr
That fails with the above error. Running the first part before the pipe returns a list of the group members, as expected.
The CN is exactly the same as I "copy and pasted" it from the DSGET part of the command.
Any help would be greatly appreciated.
Thanks Bob Sawyer